200 OK Analysis of CVE-2021-44228 log4 Vulnerability for ECG Software


Background

In reference to CVE-2021-44228, the Log4j Remote Code Execution (RCE) 0-day vulnerability and exploit: Based on our understanding, in logging software component "log4j" releases prior to 2.14.1 have a vulnerability so that an attacker who can do the following would be able to run software (execute code) on the system running log4j:

  • Generate log message content

  • Setup an LDAP server reachable from the system running log4j

 

Impact on ECG Software

log4j was included in Alpaca until release 8.0 released January 18, 2021. As of that release, only the naming (interface API) is included in Alpaca. Thus the vulnerabilities in CVE-2021-44228 are not present in Alpaca versions 8.0 and later.

log4j was included in CallReporter until release 3.4 released September 24, 2021. As of that release, only the naming (interface API) is included in CallReporter. Thus the vulnerabilities in CVE-2021-44228 are not present in CallReporter versions 3.4 and later.

Older versions of Alpaca and CallReporter should be upgraded to remove log4j. Users can mitigate vulnerability of running older releases by filtering outbound access using firewalls to prevent any attempts to connect outbound from the system where Alpaca or CallReporter are operating.

Vulnerability Testing

ECG has performed penetration testing on the log4j naming (interface API) included in Alpaca 8.0 and CallReporter 3.4, and confirmed that the vulnerability does not exist. The vulnerable log4j will perform lookups against remote databases (JNDI substitution), while the Alpaca logging capability performs no such remote connections.

CVE-2021-44228 vulnerability requires an attacker to be able to generate arbitrary log messages. We believe this was never the case in ECG products.